malwarewikiaorg-20200223-history
RSAUtil
RSAUtil is a ransomware that runs on Microsoft Windows. It was discovered by xXToffeeXx. It is aimed at English-speaking users.

Behavior

Unlike most ransomware, RSAUtil does not have a list of file extensions it targets. This means that many executables on the computer will become encrypted as well.

Payload

Transmission

RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself. The package is used to prepare the computer for the installation of the RSAUtil ransomware.

Infection

The CMD file is used by the hacker to clear all of the event logs on the machine, removing traces of how the machine was compromised.

The config.cfg file is the configuration file used by the RSAUtil ransomware component when performing the encryption. Its directives control whether the ransomware has already encrypted the computer, what ID to use, what email to use, the ransom note name, the encrypted file extension, and the public encryption key used to encrypt files.

The DontSleep_x64.exe and DontSleep_x64.ini files are used to stop the computer from going to sleep or hibernating. This is done so that the hacker does not lose the connection and so that the ransomware is not interrupted.

How_return_files.txt is the ransom note that will be placed in every folder in which a file is encrypted.

Image.jpg is an image file that the desktop background is set to. It states the following:

    Hello my friend!
    All files on your PC encryphted!
    my email: helppme@india.com or hepl1112@aol.com

NE SPAT.bat is used to configure various remote desktop services options. This file is run by the hacker so that they will not be disconnected from the Remote Desktop connection when they are idle.
When the hacker has prepared the computer using the package's CMD/batch files and executables, it is time for them to encrypt the target's computer. To do this they simply execute the svchosts.exe program, which begins to scan the computer, mapped drives, and unmapped network shares for files to encrypt. While encrypting files it uses the encryption key found in the config.cfg file and appends an extension to the encrypted files based on various settings in the config file. For example, the sample xXToffeeXx discovered has the following settings:

    Id:83624883
    Mail:helppme@india.com
    Expansion:{MAIL}.ID{ID}

This means that the extension appended will be in the format .helppme@india.com.ID83624883, so a file named test.jpg will be encrypted as test.jpg.helppme@india.com.ID83624883.

When the ransomware has finished encrypting files it displays a lock screen that tells the user to contact helppme@india.com or hepl1112@aol.com to receive payment instructions. Once payment is made, the victim is told they will receive a decryption key that they can input into the lock screen to decrypt their files. The lock screen says the following:

    WARNING !!!
    Your ID 83624883
    OUR FILES ARE DECRIPTED
    Your documents, photos, database, save games and other important data was encrypted.
    Data recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.
    In a letter to include Your personal ID (see the beginning of this document).
    In response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.
    When money transfer is confirmed, You will receive the decrypter file for Your computer.
    After starting the programm-interpreter, all your files will be restored.
    Attention! Do not attempt to remove a program or run the anti-virus tools.

The ransomware will also create ransom notes named How_return_files.txt in every folder in which a file was encrypted.
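The extension scheme above is useful to a responder: once the three directives are known, every encrypted file name can be mapped back to its original name, and files from a related campaign with a different ID or mailbox can still be recognised from the generic mail.ID<digits> shape. The following Python is an added triage example written for this page, not code from the ransomware or from xXToffeeXx's analysis. It assumes config.cfg is a plain key:value file with one directive per line (only the three directive names quoted above are used; the layout is an assumption), and the sample directory listing is constructed here.

```python
import re

# Constructed sample reproducing the three config.cfg directives quoted on the page.
# The "one key:value directive per line" layout is an assumption, not taken from the page.
SAMPLE_CONFIG = """Id:83624883
Mail:helppme@india.com
Expansion:{MAIL}.ID{ID}
"""

# Constructed directory listing: one encrypted file, one untouched file, the ransom note.
SAMPLE_LISTING = [
    "test.jpg.helppme@india.com.ID83624883",
    "report.docx",
    "How_return_files.txt",
]


def parse_config(text):
    """Parse key:value directives into a dict with lower-cased keys.

    Blank lines and lines without a colon are ignored; the value keeps any
    further colons, so a template such as '{MAIL}.ID{ID}' survives intact.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def build_extension(cfg):
    """Expand the Expansion template the way the page describes.

    {MAIL} is replaced by the Mail directive and {ID} by the Id directive; the
    result is appended to the original file name with a leading dot.
    """
    ext = cfg["expansion"].replace("{MAIL}", cfg["mail"]).replace("{ID}", cfg["id"])
    return "." + ext


def encrypted_name(original, ext):
    """Name the ransomware would give `original` under this configuration."""
    return original + ext


def original_name(encrypted, ext):
    """Recover the pre-encryption name, or None if the file does not carry this
    campaign's extension (an exact match on the whole extension, not a substring)."""
    if encrypted.endswith(ext) and len(encrypted) > len(ext):
        return encrypted[: -len(ext)]
    return None


# Generic shape of the extension: .<mailbox>@<domain>.<tld>.ID<digits> at end of name.
# Catches samples configured with a different mailbox or ID than the one documented.
GENERIC_PATTERN = re.compile(r"\.([^.\s@/\\]+@[^.\s@/\\]+\.[A-Za-z]{2,})\.ID(\d+)$")


def triage(filenames):
    """Return (name, mail, id) for every file whose name matches the generic shape."""
    hits = []
    for name in filenames:
        m = GENERIC_PATTERN.search(name)
        if m:
            hits.append((name, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    ext = build_extension(cfg)
    print("campaign extension:", ext)
    for name, mail, victim_id in triage(SAMPLE_LISTING):
        print(f"{name} -> original {original_name(name, ext)!r}, contact {mail}, ID {victim_id}")
```

The exact-extension check (original_name) is what you want when restoring from backup or verifying a decrypter's output, while the generic pattern is the one to feed a file-server sweep, since it does not depend on already having the sample's config.cfg in hand.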
The How_return_files.txt ransom note states the same thing as the lock screen.

Categories: Delphi, Ransomware, Win32 ransomware, Microsoft Windows, Win32, Win32 trojan, Trojan